Token authentication timeout

I'm seeing some behavior I don't understand with token timeouts. My code creates a token with a 60 minute, 100 login limit:
try {
   ISessionMgr        sessionMgr        = CrystalEnterprise.getSessionMgr();
   IEnterpriseSession enterpriseSession = sessionMgr.logon(id, pwd, server, type);
   // Now create the login token (60 minutes, 100 logons)
   ILogonTokenMgr logonTokenMgr = enterpriseSession.getLogonTokenMgr();
   token = logonTokenMgr.createWCAToken("", 60, 100);
} catch(Exception e) {
   throw new LoginHelperException(e);
}
I have a web front end that calls various services. All these services begin with an auth check that looks something like this:
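try {
   if(token == null)
      throw new LoginHelperException("Missing token");
   else
      // A new session is created from the token on every request
      enterpriseSession = CrystalEnterprise.getSessionMgr().logonWithToken(token);
} catch(Exception e) {
   throw new LoginHelperException(e);
}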
I am not storing the enterpriseSession in my web session. I create a new one with the token for every request. It's my understanding I should only have to create a new token after 60 minutes, or after 100 calls to logonWithToken(), whichever comes first. But what I'm seeing in practice is an auth exception after only a few minutes.
2008-11-14 09:41:39,457 ERROR [http-8080-Processor24] (report_jsp.java:120) - Exception in report.jsp
com.reporting.bo.exceptions.LoginHelperException: com.crystaldecisions.sdk.exception.SDKServerException: An error occurred at the server :
Session ID is not valid.
cause:com.crystaldecisions.enterprise.ocaframework.idl.OCA.oca_abuse: IDL:img.seagatesoftware.com/OCA/oca_abuse:3.2
detail:An error occurred at the server :
Session ID is not valid.
The server supplied the following details: OCA_Abuse exception 10503 at [exceptionmapper.cpp : 65]  42436 {}
        ...Session ID is not valid. Original session not available for ONEOFF logon
Am I misunderstanding how tokens work? I'd like for the token to be valid for more than 10 minutes.

You're using the WCA token.
Validity lifetime of a WCA token is tied to the originating EnterpriseSession that created it.
Since the originating EnterpriseSession is going out of scope in your code, it gets GC'ed.
When the CMS detects that the EnterpriseSession no longer exists, it invalidates all WCA tokens associated with it.
Next time you try to use the WCA token, it fails.
So either use the Logon Token - that uses a CAL each time you use it - or keep the EnterpriseSession live but make sure you log it off when you're done with it.
Sincerely,
Ted Ueda
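
The two options from the reply above, sketched as an added example (not code from the thread or from the SDK documentation). It assumes the BusinessObjects Enterprise Java SDK is on the classpath; the class name TokenHolder and its method names are hypothetical.

```java
import com.crystaldecisions.sdk.exception.SDKException;
import com.crystaldecisions.sdk.framework.CrystalEnterprise;
import com.crystaldecisions.sdk.framework.IEnterpriseSession;
import com.crystaldecisions.sdk.framework.ISessionMgr;
import com.crystaldecisions.sdk.occa.security.ILogonTokenMgr;

/** Hypothetical helper illustrating both fixes; names are not from the thread. */
public final class TokenHolder implements AutoCloseable {

    private static final int VALID_MINUTES = 60;   // same limits as the question
    private static final int VALID_LOGONS  = 100;

    // Option 1: hold a strong reference to the originating session. While this
    // field is reachable the session is not garbage collected, so the CMS has
    // no reason to invalidate the WCA token that was created from it.
    private final IEnterpriseSession originatingSession;
    private final String wcaToken;
    private boolean closed;

    public TokenHolder(String id, String pwd, String server, String type)
            throws SDKException {
        ISessionMgr sessionMgr = CrystalEnterprise.getSessionMgr();
        originatingSession = sessionMgr.logon(id, pwd, server, type);
        String created = null;
        try {
            ILogonTokenMgr mgr = originatingSession.getLogonTokenMgr();
            created = mgr.createWCAToken("", VALID_MINUTES, VALID_LOGONS);
        } finally {
            // Do not leak a CMS session if token creation failed.
            if (created == null) {
                originatingSession.logoff();
            }
        }
        wcaToken = created;
    }

    /** Per-request logon, as in the question's auth check. */
    public synchronized IEnterpriseSession logonForRequest() throws SDKException {
        if (closed) {
            throw new IllegalStateException("Originating session already logged off");
        }
        return CrystalEnterprise.getSessionMgr().logonWithToken(wcaToken);
    }

    /**
     * Explicit logoff of the originating session, e.g. when the web session
     * ends. After this the WCA token is no longer usable.
     */
    @Override
    public synchronized void close() {
        if (!closed) {
            closed = true;
            originatingSession.logoff();
        }
    }

    /**
     * Option 2: a Logon Token instead of a WCA token. Per the reply, every
     * logonWithToken() call with it uses a CAL.
     * Assumption: unlike the WCA token, this token does not depend on the
     * creating session staying alive, so that session is logged off here.
     */
    public static String createStandaloneLogonToken(String id, String pwd,
                                                    String server, String type)
            throws SDKException {
        IEnterpriseSession session =
                CrystalEnterprise.getSessionMgr().logon(id, pwd, server, type);
        try {
            ILogonTokenMgr mgr = session.getLogonTokenMgr();
            return mgr.createLogonToken("", VALID_MINUTES, VALID_LOGONS);
        } finally {
            session.logoff();
        }
    }
}
```

With option 1, store the TokenHolder (not just the token string) in the web session and call close() when that web session is invalidated or times out.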

Similar Messages

  • P6WS "WSS header is missing from request. Can't do username token authentication."

    I am getting the error "WSS header is missing from request. Can't do username token authentication." when trying to connect with SOAP and use Token Auth. I can get Cookies to work just fine, but I need to be able to connect to both.
    testWebReference.Login clientLogin = new testWebReference.Login();
    testWebReference.LoginResponse clResponse = new testWebReference.LoginResponse();
    testWebReference.AuthenticationService authClient = new AuthenticationService();
    clientLogin.UserName = paUsername.Text;
    clientLogin.Password = paPassword.Text;
    clientLogin.DatabaseInstanceId = Int32.Parse(paDBI.Text);
    clientLogin.DatabaseInstanceIdSpecified = true;
    AuthenticationService service = new AuthenticationService();
    service.Url = proxy;
    service.SoapVersion = System.Web.Services.Protocols.SoapProtocolVersion.Soap11;
    service.Login(clientLogin);

    I uploaded an example of usertoken on My Oracle Support community.
    TestUserToken.zip
    V/r,
    Gene

  • Cannot find a token authenticator for the 'System.IdentityModel.Tokens.X509SecurityToken' token type. Tokens of that type cannot be accepted according to current security settings.

    I am using a custom binding in the BTS Adapter with the following elements (similar to TransportWithMessageCredential with both the client and the server certs)
     encoding (soap11)
     https transport
    Security : CertificateOverTransport
    Problem: the request is sent successfully, but when I receive the response in BizTalk I get the following error
    System.ServiceModel.Security.MessageSecurityException: An unsecured or incorrectly secured fault was received from the other party. ,after turning on tracing in the WCF Trace the following error is present "Tokens of that type
    cannot be accepted according to current security settings. "
    Solutions tried
    1) Changed the security to MutualCertificate , this time request also fails with the following error message  The remote endpoint did not provide a domain name system (DNS) claim and therefore did not satisfied DNS identity 'xxxx.com'.
    This may be caused by lack of DNS or CN name in the remote endpoint X.509 certificate's distinguished name.
    Binding configuration
     <behaviors>
          <endpointBehaviors>
            <behavior name="EndpointBehavior">
              <clientCredentials>
                <clientCertificate findValue="XXXXXXXXXXXXXXX" x509FindType="FindByThumbprint" />
                <serviceCertificate>
                  <defaultCertificate findValue="XXXXXXXXXXXX" storeName="TrustedPeople" x509FindType="FindByThumbprint" />
                  <authentication certificateValidationMode="None" revocationMode="NoCheck" />
                </serviceCertificate>
              </clientCredentials>
            </behavior>
          </endpointBehaviors>
          <serviceBehaviors>
            <behavior name="ServiceBehavior" />
          </serviceBehaviors>
        </behaviors>
        <bindings>
          <customBinding>
            <clear />
            <binding name="XXXXXXXXX">
              <textMessageEncoding messageVersion="Soap11" />
              <security allowSerializedSigningTokenOnReply="true" authenticationMode="CertificateOverTransport" requireDerivedKeys="false" securityHeaderLayout="Lax" messageSecurityVersion="WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
    requireSecurityContextCancellation="false">
                <secureConversationBootstrap />
              </security>
              <httpsTransport />
            </binding>
          </customBinding>
        </bindings>
    Thanks -Madhu

    Please refer to the similar discussion:
    http://social.msdn.microsoft.com/Forums/en-US/6a3d38ee-30ca-43fb-b906-6e95808df69d/cannot-find-a-token-authenticator-for-the-systemidentitymodeltokensx509securitytoken-token?forum=wcf

  • Authentication Timeout

    I have an ASA 5520 and I am having trouble getting the AnyConnect VPN authentication timeout feature to work properly. I thought I did have it working a couple of months ago, but right now it is not giving me more than the default 12 seconds. I have tried intervals of anywhere from 25 seconds up to 120. I am currently running version 6.4 on the ASA and AnyConnect 2.5.3055. Any input is appreciated.
    Thanks!

    I think I am now talking to myself, but hopefully this helps someone else someday!
    The profiles located in C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\Profile were not updated. The client was using both the wrong profile AND an outdated profile. I modified the profile locally and the client worked fine. Now I need to determine why the client profiles are not being downloaded.

  • Token authentication error

    When I try to open an app I get a token authentication error. What does it mean?

    Ah, I feel like a bit of a fool. It had reset it but I didn't read what it said, and it actually wanted the current password. It's been a long day.
    Thanks for the help though :)

  • ISE machine authentication timeout

    Hi all,
    We have an ISE infrastructure and we have enabled user and machine authentication through EAP-TLS.
    Everything is working fine except that every 1 hour user must log off and login again because machine authentication has, I think, expired!
    As you can imagine this is unacceptable. I saw that the machine restriction age is only 1 hour and changed it to 8 hours.
    My question is if machine restarts at 7 hours past first successful authentication will the timer reset or after an hour will be kicked and have to log off and in again?
    How have you bypassed the timeout of the MAR cache?
    My ISE version is 1.2 with 2 patches installed
    Thank you

    Hi
    Cisco ISE contains a Machine Access Restriction (MAR) component that provides an additional means of controlling authorization for Microsoft Active Directory-authentication users. This form of authorization is based on the machine authentication of the computer used to access the Cisco ISE network. For every successful machine authentication, Cisco ISE caches the value that was received in the RADIUS Calling-Station-ID attribute (attribute 31) as evidence of a successful machine authentication.
    Cisco ISE retains each Calling-Station-ID attribute value in cache until the number of hours that was configured in the "Time to Live" parameter in the Active Directory Settings page expires. Once the parameter has expired, Cisco ISE deletes it from its cache.
    When a user authenticates from an end-user client, Cisco ISE searches the cache for a Calling-Station-ID value from successful machine authentications for the Calling-Station-ID value that was received in the user authentication request. If Cisco ISE finds a matching user-authentication Calling-Station-ID value in the cache, this affects how Cisco ISE assigns permissions for the user that requests authentication in the following ways:
    • If the Calling-Station-ID value matches one found in the Cisco ISE cache, then the authorization profile for a successful authorization is assigned.
    • If the Calling-Station-ID value is not found to match one in the Cisco ISE cache, then the authorization profile for a successful user authentication without machine authentication is assigned.

  • Wlc 5500 authentication timeout

    I have a WLC 5500 controller. I have two WLANs (OBSD-Internal and OBSD-BYOD). I have authentication set up to the WLC for the BYOD WLAN using LDAP (users connect with an AD user account). They are required to reauthenticate every few minutes. This only happens on the BYOD WLAN (not Internal).

    Scott-
    Here are the results of the sho WLAN cmd:
    (Cisco Controller) >show wlan 3
    WLAN Identifier.................................. 3
    Profile Name..................................... OBSD BYOD
    Network Name (SSID).............................. OBSD-BYOD
    Status........................................... Enabled
    MAC Filtering.................................... Disabled
    Broadcast SSID................................... Enabled
    AAA Policy Override.............................. Disabled
    Network Admission Control
      Radius-NAC State............................... Disabled
      SNMP-NAC State................................. Disabled
      Quarantine VLAN................................ 0
    Maximum number of Associated Clients............. 0
    Number of Active Clients......................... 25
    Exclusionlist Timeout............................ 60 seconds
    Session Timeout.................................. Infinity
    CHD per WLAN..................................... Enabled
    Webauth DHCP exclusion........................... Disabled
    Interface........................................ g9c-guest
    Multicast Interface.............................. Not Configured
    --More-- or (q)uit
    WLAN ACL......................................... Guest WiFi Internet Only
    DHCP Server...................................... Default
    DHCP Address Assignment Required................. Disabled
    Static IP client tunneling....................... Disabled
    Quality of Service............................... Silver (best effort)
    Scan Defer Priority.............................. 4,5,6
    Scan Defer Time.................................. 100 milliseconds
    WMM.............................................. Allowed
    WMM UAPSD Compliant Client Support............... Disabled
    Media Stream Multicast-direct.................... Disabled
    CCX - AironetIe Support.......................... Enabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    CCX - Diagnostics Channel Capability............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    IPv6 Support..................................... Disabled
    Passive Client Feature........................... Disabled
    Peer-to-Peer Blocking Action..................... Disabled
    Radio Policy..................................... All
    DTIM period for 802.11a radio.................... 1
    DTIM period for 802.11b radio.................... 1
    Radius Servers
       Authentication................................ Global Servers
    --More-- or (q)uit
       Accounting.................................... Global Servers
       Dynamic Interface............................. Disabled
    Local EAP Authentication......................... Disabled
    Security
       802.11 Authentication:........................ Open System
       Static WEP Keys............................... Disabled
       802.1X........................................ Disabled
       Wi-Fi Protected Access (WPA/WPA2)............. Disabled
       CKIP ......................................... Disabled
       Web Based Authentication...................... Enabled
    ACL............................................. Web Auth
    Web Authentication server precedence:
    1............................................... local
    2............................................... radius
    3............................................... ldap
       Web-Passthrough............................... Disabled
       Conditional Web Redirect...................... Disabled
       Splash-Page Web Redirect...................... Disabled
       Auto Anchor................................... Disabled
       H-REAP Local Switching........................ Disabled
       H-REAP Local Authentication................... Disabled
       H-REAP Learn IP Address....................... Enabled
    --More-- or (q)uit
       Client MFP.................................... Optional but inactive (WPA2 not configured)
       Tkip MIC Countermeasure Hold-down Timer....... 60
    Call Snooping.................................... Disabled
    Roamed Call Re-Anchor Policy..................... Disabled
    SIP CAC Fail Send-486-Busy Policy................ Enabled
    SIP CAC Fail Send Dis-Association Policy......... Disabled
    Band Select...................................... Disabled
    Load Balancing................................... Disabled
    Mobility Anchor List
    WLAN ID     IP Address            Status

  • 5508 web authentication timeout problem

    If any authenticated user uses a protocol other than (http, https) within the timeout period,
    that user is deauthenticated. Why? Solution?

    Are you referring to idle timeout OR session timeout?
    Once a web auth client is authenticated, he has full access and can run any protocol unless
    - restricted by an ACL on controller OR switch with gateway OR firewall.
    c) On WLC CLI, run
    config paging disable
    show run-config
    show traplog
    show msglog
    b) From switch that has L3 SVI for the guest subnet, send
    show run interface vlan x

  • Token authentication

    Hi,
    We have an ASA running ver 8.4.
    There are servers using remote sessions like ssh via these firewalls. Now when users access these servers via ssh, does the ASA support 2 factor authentication for such access?
    The requirement is to prompt for a token request when these servers are accessed via ssh through the firewall.
    Appreciate all inputs!

    Hi.
    I suppose you're using the 3rd party authentication in SSGD coupled with a token (and possibly a RADIUS authentication) but I could be wrong.
    Could you please share with us a bit more about your SSGD/token infrastructure (eg, if you're using mod_auth_radius, mod_auth_xradius or the embedded support for RSA tokens)?
    Thanks,
    Rob

  • RSA-Token Authentication WLC 5500

    Can I configure "RSA Secure ID" or "Token" to authenticate users in a WLAN in the Wireless LAN Controller 5500 series?
    Is that possible?

    LeeJohns,
    We are testing this type of authentication. Our components are:
    1.- Wireless LAN Controller 5508
    2.- LAP 1141
    3.- RSA Authentication Manager 6.1
    We don't have external RADIUS servers such as Cisco ACS.
    We added the Management IP Address of the WLC into "Radius Client" from the RSA Authentication Manager 6.1.
    The configuration of the WLC is:
    1.- Security / Radius / Authentication: IP Address of the RSA Authentication Manager.
    2.- WLAN / Layer 2 Security : 802.1X / AAA Servers IP Address of the RSA Manager.
    Configuration of the RSA Authentication Manager.
    1.- RSA Authentication Manager > Add Agent Host > Network Address: Management IP Address WLC
    2.- In the RSA Client enter the same shared key entered in the WLC.
    The WLAN shows the prompt "Enter Username and Password" when the user tries to connect to the wireless network; the user enters the username/password and the authentication fails.
    Is the RADIUS server necessary?
    Thanks

  • Web authentication timeout problem

    We have one SSID using web-auth with ISE.
    On the WLC we configured idle timeout for 2400 seconds and on wlan>advanced 65535 seconds for session timeout. But we are having continuous deauthentication in about 10 minutes.
    When we check the WLC, our mac-address is deleted after about each 10 minutes.
    How can I solve this issue?

    On this wlan we are using Web-Auth with WPA2 + PSK.
    Software version 7.0.220
    Another SSID does not have this problem.
    debug client
    *dot1xMsgTask: Sep 20 12:33:29.788: 00:1c:26:ac:d9:e5 Key exchange done, data packets from mobile 00:1c:26:ac:d9:e5 should be forwarded shortly
    *dot1xMsgTask: Sep 20 12:33:29.788: 00:1c:26:ac:d9:e5 Sending EAPOL-Key Message to mobile 00:1c:26:ac:d9:e5
       state PTKINITDONE (message 5 - group), replay counter 00.00.00.00.00.00.00.02
    *dot1xMsgTask: Sep 20 12:33:29.788: 00:1c:26:ac:d9:e5 Updated broadcast key sent to mobile 00:1C:26:AC:D9:E5
    *osapiBsnTimer: Sep 20 12:33:30.986: 00:1c:26:ac:d9:e5 802.1x 'timeoutEvt' Timer expired for station 00:1c:26:ac:d9:e5 and for message = M5
    *dot1xMsgTask: Sep 20 12:33:30.986: 00:1c:26:ac:d9:e5 Retransmit 1 of EAPOL-Key M5 (length 139) for mobile 00:1c:26:ac:d9:e5
    *osapiBsnTimer: Sep 20 12:33:31.986: 00:1c:26:ac:d9:e5 802.1x 'timeoutEvt' Timer expired for station 00:1c:26:ac:d9:e5 and for message = M5
    *dot1xMsgTask: Sep 20 12:33:31.986: 00:1c:26:ac:d9:e5 Retransmit 2 of EAPOL-Key M5 (length 139) for mobile 00:1c:26:ac:d9:e5
    *osapiBsnTimer: Sep 20 12:33:32.986: 00:1c:26:ac:d9:e5 802.1x 'timeoutEvt' Timer expired for station 00:1c:26:ac:d9:e5 and for message = M5
    *dot1xMsgTask: Sep 20 12:33:32.986: 00:1c:26:ac:d9:e5 Retransmit failure for EAPOL-Key M5 to mobile 00:1c:26:ac:d9:e5, retransmit count 3, mscb deauth count 0
    *dot1xMsgTask: Sep 20 12:33:32.986: 00:1c:26:ac:d9:e5 Sent Deauthenticate to mobile on BSSID 40:f4:ec:4a:b0:f0 slot 0(caller 1x_ptsm.c:534)
    *dot1xMsgTask: Sep 20 12:33:32.986: 00:1c:26:ac:d9:e5 Scheduling deletion of Mobile Station:  (callerId: 57) in 10 seconds
    *osapiBsnTimer: Sep 20 12:33:42.986: 00:1c:26:ac:d9:e5 apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
    *apfReceiveTask: Sep 20 12:33:42.986: 00:1c:26:ac:d9:e5 apfMsExpireMobileStation (apf_ms.c:5009) Changing state for mobile 00:1c:26:ac:d9:e5 on AP 40:f4:ec:4a:b0:f0 from Associated to Disassociated
    *apfReceiveTask: Sep 20 12:33:42.986: 00:1c:26:ac:d9:e5 Scheduling deletion of Mobile Station:  (callerId: 45) in 10 seconds
    *osapiBsnTimer: Sep 20 12:33:52.986: 00:1c:26:ac:d9:e5 apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
    *apfReceiveTask: Sep 20 12:33:52.986: 00:1c:26:ac:d9:e5 Sent Deauthenticate to mobile on BSSID 40:f4:ec:4a:b0:f0 slot 0(caller apf_ms.c:5101)
    *apfReceiveTask: Sep 20 12:33:52.986: 00:1c:26:ac:d9:e5 apfMsAssoStateDec
    *apfReceiveTask: Sep 20 12:33:52.986: 00:1c:26:ac:d9:e5 apfMsExpireMobileStation (apf_ms.c:5139) Changing state for mobile 00:1c:26:ac:d9:e5 on AP 40:f4:ec:4a:b0:f0 from Disassociated to Idle
    *apfReceiveTask: Sep 20 12:33:52.986: 00:1c:26:ac:d9:e5 Scheduling deletion of Mobile Station:  (callerId: 47) in 10 seconds
    *osapiBsnTimer: Sep 20 12:34:02.986: 00:1c:26:ac:d9:e5 apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
    *apfReceiveTask: Sep 20 12:34:02.986: 00:1c:26:ac:d9:e5 10.166.66.248 RUN (20) Deleted mobile LWAPP rule on AP [40:f4:ec:4a:b0:f0]
    Do you have any suggestion about log or debug ?
    thanks a lot,
    Murilo

  • SGD with RSA Token Authentication - Is it all or nothing?

    We are investigating having RSA authentication in SGD, but we only want to force its usage for a subset of users. Based on what I can see in the docs and the screen, it's not clear if it's all or nothing.

    We have the same question from a customer.
    Here is my suggestion:
    Have two SGD servers. Both are in one array. Because LDAP and RSA are global configurations, both SGD servers can handle logins via these authorities.
    To prevent login via RSA in sgd1, disable the route to the RSA server.
    To prevent login via ldap in sgd2, disable the route to the LDAP server.
    The sgd2 should be the primary and the login of the admin Console, so DSI will work.
    Another thought with a dead end is: RSA via 3Party and http.conf preventing access from a network. This can work, but not with firewall traversal, because the apache sees only the localhost.
    Would be happy to have more suggestions about this.

  • Wireless Web authentication timeout

    Hello, our wireless web authentication is usually timing out after half an hour of inactivity. How can I increase it so people do not need to reauthenticate after 30 min of inactivity?
    Thanks in advance.

    It's in the WLAN definition on the Advanced tab.

  • Custom Token authentication using OAM 11g

    Hi All,
    I have the following requirement: Authenticate a resource based on custom token if it is null or not. There is no need to map the token with an user record.
    Environment is all 11g.
    What is the best way to implement it? Is it possible to do it with just OAM 11g alone? Or does it require Oracle STS too? Please provide your inputs.
    Thanks,
    Mahendra.

    Can someone provide inputs on this? Please treat this as urgent.

  • 802.1x EAP-TLS with NPS/W2008 - Authentication result 'timeout'

    Hello
    [Env on my lab investigation]
    supplicant - W7 with cert
    authenticator - Catalyst 2960 with IOS 15.0(1)SE2 /newest/
    authentication server 2x - W2008/NPS like a RADIUS server
    [Config some part of authenticator]
    interface FastEthernet0/1
    switchport access vlan 34
    switchport mode access
    authentication event fail retry 1 action authorize vlan 47
    authentication event server dead action authorize vlan 35
    authentication event no-response action authorize vlan 47
    authentication event server alive action reinitialize
    authentication port-control auto
    dot1x pae authenticator
    dot1x timeout quiet-period 15
    dot1x timeout tx-period 15
    spanning-tree portfast
    [Symptoms]
    After reboot of the authenticator, the supplicant connected to FE0/1 is finally put into the Guest VLAN 47, and before that I saw on the authenticator's console Authentication result 'timeout'. But when the switch is up and running, and I connect the same supplicant W7 with cert to the same authenticator port FE0/1, the supplicant is finally put into static VLAN 34.
    [Summary]
    The problem is the end station that are still connected to the supplicant port /use a EAP-TLS/ after the reboot supplicant! All of them will be put into the Guest VLAN instead of static VLAN 34!
    [The question]
    What is wrong and how to configure/tune and what authenticator or authentication server to prevent after the reboot to observe a authentication timeouts?
    Of course the supplicant after 20 minutes /next EAPOL start farmet put into VLAN 34 .
    [Logs]
    During this I observed the wireshark supplicant and authenticator console and NPS wireshark, below:
    1. supplicant and authenticator order flow in Wireshark:
    - supplicant EAPOL Start
    - authenticator EAP Request Identity
    - supplicant Response Identity, 3 times
    - supplicant EAPOL Start
    - authenticator EAP Failure
    - authenticator EAP Request Identity x2
    - supplicant Response Identity x2
    and again, more detail about the flow from the Wireshark chart at the end
    2. authenticator console saw like this:
    *Mar  1 00:02:51.563: %DOT1X-5-FAIL: Authentication failed for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
    *Mar  1 00:02:51.563: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
    *Mar  1 00:02:51.563: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
    krasw8021x>
    *Mar  1 00:03:52.876: %DOT1X-5-FAIL: Authentication failed for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
    *Mar  1 00:03:52.876: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
    *Mar  1 00:03:52.876: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
    and finally
    *Mar  1 00:05:00.286: %AUTHMGR-5-VLANASSIGN: VLAN 47 assigned to Interface Fa0/1 AuditSessionID 0A0E2E96000000040003C914
    *Mar  1 00:05:01.167: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa0/1 AuditSessionID 0A0E2E96000000040003C914
    *Mar  1 00:05:01.302: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
    3. Authentication server:
    - NPS doesn't receive any RADIUS Access-Request/Response.
    [supplicant EAPOL flow chart, source wireshark]
    |Time     | Cisco_f9:98:81                        | Dell_12:cf:80                         |
    |         |                   | Nearest           |                  
    |0,041    |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |0,045    |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |0,051    |                   |         Start     |                   |EAPOL: Start
    |         |                   |(0)      <------------------  (0)      |
    |0,065    |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |0,075    |                   |         Response, Identity            |EAP: Response, Identity [RFC3748]
    |         |                   |(0)      <------------------  (0)      |
    |0,075    |                   |         Response, Identity            |EAP: Response, Identity [RFC3748]
    |         |                   |(0)      <------------------  (0)      |
    |18,063   |                   |         Start     |                   |EAPOL: Start
    |         |                   |(0)      <------------------  (0)      |
    |18,065   |         Failure   |                   |                   |EAP: Failure
    |         |(0)      ------------------>  (0)      |                   |
    |18,268   |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |18,303   |                   |         Response, Identity            |EAP: Response, Identity [RFC3748]
    |         |                   |(0)      <------------------  (0)      |
    |18,307   |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |18,307   |                   |         Response, Identity            |EAP: Response, Identity [RFC3748]
    |         |                   |(0)      <------------------  (0)      |
    |37,073   |         Request, EAP-TLS [R           |                   |EAP: Request, EAP-TLS [RFC5216] [Aboba]
    |         |(0)      ------------------>  (0)      |                   |
    |67,941   |         Request, EAP-TLS [R           |                   |EAP: Request, EAP-TLS [RFC5216] [Aboba]
    |         |(0)      ------------------>  (0)      |                   |
    |98,805   |         Request, EAP-TLS [R           |                   |EAP: Request, EAP-TLS [RFC5216] [Aboba]
    |         |(0)      ------------------>  (0)      |                   |
    |129,684  |         Failure   |                   |                   |EAP: Failure
    |         |(0)      ------------------>  (0)      |                   |
    |144,697  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |160,125  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |175,561  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |190,996  |         Failure   |                   |                   |EAP: Failure
    |         |(0)      ------------------>  (0)      |                   |
    |206,002  |         Failure   |                   |                   |EAP: Failure
    |         |(0)      ------------------>  (0)      |                   |
    |206,204  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |212,103  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |227,535  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |242,970  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    /regards Piter 

    Hi,
    Did you ever try to configure re-authentication?
    Is the client up and running if you connect it to the switch?
